edoceo

OpenVPN Server Installation and Configuration

OpenVPN is an awesome Open Source VPN package; the 2.0 versions are solid, reliable and secure. Edoceo has been providing VPN services and commercial support for this product since late 2003. It is fully functional and stable on Apple, Linux and Windows platforms, ready for the enterprise.

OpenVPN Server

Here's a complete OpenVPN Server configuration file. It creates a VPN Gateway device that allows clients on the VPN to access machines on the internal subnet. For an explanation of all the options, please see the OpenVPN Howto Guide.

Configuring OpenVPN Server

If this is the first OpenVPN server, or a fresh install, the necessary certificates must be created. The example below creates a certificate for the server and for two clients, as well as the tls-auth and Diffie-Hellman files.

cd /usr/share/openvpn/easy-rsa
. vars
./build-ca
./build-key-server vpnhost
./build-key clientA
./build-key clientB
./build-dh

Copy the necessary files to the OpenVPN configuration directory.

cp keys/ca.crt /etc/openvpn/
# build-dh names the file after KEY_SIZE in vars (dh1024.pem by default);
# set KEY_SIZE=2048 in vars before ./build-dh so the name matches the server config below
cp keys/dh2048.pem /etc/openvpn/
# build-key-server names the files after the name it was given (vpnhost above)
cp keys/vpnhost.crt /etc/openvpn/server.crt
cp keys/vpnhost.key /etc/openvpn/server.key

And make the tls-auth key.

openvpn --genkey --secret /etc/openvpn/ta.key

The local network uses 10.65.0.0/24 as the Internal or Office network and 10.65.76.0/24 as the VPN subnet.

# OpenVPN Server Gateway
# Gives Access to the Internal Network

# Base Options
dev tun
server 10.65.76.0 255.255.255.0
port 1194
# These two don't apply on Windows
user nobody
group nobody

# Certificate/Security Options
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0

# Tunnel Options
cipher AES-256-CBC
comp-lzo
# Client should match this
keepalive 10 120
persist-key
persist-tun

# DHCP Options
# DNS Suffix
# push "dhcp-option DOMAIN office.example.com"
# Send a DNS Server to the Client (if client does pull)
# push "dhcp-option DNS 10.65.76.1"
# Send a WINS Server to the Client (if client does pull)
# push "dhcp-option WINS 10.65.76.1"
# Route to Internal Network, add more as necessary
# push "route 10.65.0.0 255.255.255.0"

# Output/Status Settings
ifconfig-pool-persist ippool.out
status status.out
verb 3

The options above should be changed to match the reader's environment. Most notably, the DHCP push options should be set to reasonable values.

OpenVPN Concentrator

Use the server configuration above but add the following directive. This lets VPN clients see each other.

client-to-client

OpenVPN Client Configuration

The current OpenVPN 2.1 clients have worked flawlessly for us since RC3. We're currently running various flavours of the 2.1 RC installs, RC3 through RC13. Here is a client configuration for the server above.

ca ca.crt
cd /path/to/vpn/config
cert client.crt
# Must match the server's cipher
cipher AES-256-CBC
# client = tls-client + pull
client
comp-lzo
dev tun
group nobody
# Matches the server; with pull the server's keepalive values override these anyway
keepalive 10 120
key client.key
ns-cert-type server
persist-key
persist-local-ip
persist-tun
remote vpn.example.com
tls-auth ta.key 1
user nobody
verb 3
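As an added example (not from the original page, and not part of OpenVPN itself), the script below checks a server/client configuration pair for the pairing rules the two listings above depend on: complementary tls-auth key directions, matching cipher, comp-lzo and dev, a client that is actually in client mode, and a client that verifies the peer holds a server certificate. The sample configurations embedded in it are constructed from the listings above.

```python
# Added example, not from the original page or from OpenVPN: a consistency checker
# for an OpenVPN 2.x server/client config pair. Sample configs are constructed inline.

def parse_ovpn(text):
    """Map each directive to the list of argument lists it appears with."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # skip blank lines and comments
            continue
        name, *args = line.split()
        conf.setdefault(name, []).append(args)
    return conf

def first(conf, name):
    """Arguments of the first occurrence of a directive, or None if absent."""
    return conf[name][0] if name in conf else None

def check_pair(server_text, client_text):
    """Return the pairing problems found between a server and a client config."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    problems = []
    ta_s, ta_c = first(s, "tls-auth"), first(c, "tls-auth")
    if ta_s is None or ta_c is None:
        problems.append("tls-auth must be set on both sides")
    else:  # the two sides must use opposite key directions (server 0, client 1)
        dirs = tuple(t[1] if len(t) > 1 else None for t in (ta_s, ta_c))
        if dirs not in (("0", "1"), ("1", "0")):
            problems.append("tls-auth key directions must be complementary")
    if first(s, "cipher") != first(c, "cipher"):  # 2.1 does not negotiate the cipher
        problems.append("cipher must be identical on both sides")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        problems.append("comp-lzo must be enabled on both sides or on neither")
    if first(s, "dev") != first(c, "dev"):
        problems.append("dev type (tun/tap) must match")
    if "client" not in c and not ("tls-client" in c and "pull" in c):
        problems.append("client side needs 'client' (or tls-client plus pull)")
    if "ns-cert-type" not in c and "remote-cert-tls" not in c:
        problems.append("client does not verify that the peer holds a server certificate")
    return problems

# Constructed samples: the page's server, a matching client, and a broken client
# (wrong tls-auth direction, cipher left at its default, no ns-cert-type check).
SERVER = "dev tun\nserver 10.65.76.0 255.255.255.0\ntls-auth ta.key 0\ncipher AES-256-CBC\ncomp-lzo\n"
CLIENT_OK = "client\ndev tun\nremote vpn.example.com\nns-cert-type server\ntls-auth ta.key 1\ncipher AES-256-CBC\ncomp-lzo\n"
CLIENT_BAD = "client\ndev tun\nremote vpn.example.com\ntls-auth ta.key 0\ncomp-lzo\n"

if __name__ == "__main__":
    print(check_pair(SERVER, CLIENT_OK), check_pair(SERVER, CLIENT_BAD))
```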

OpenVPN Clients on Apple

Mac OS X clients can use the same configuration as Linux clients. The cd parameter will need to be modified.

OpenVPN Client on Microsoft Windows

Use the same configuration as above but comment out the cd, group and user parameters.

# cd /path/to/vpn/config
# group nobody
# user nobody

ChangeLog

  • 21 Jul 2010 - More updates for OpenVPN operation /djb
  • 04 Sep 2008 - Updated to include Clients /djb
  • 10 Oct 2007 - Updated the client configs, fixed typos
  • 07 Nov 2005 - Created /djb
